Notice: IPv6 breaking issues tentatively considered blocker for F17

Tore Anderson tore at fud.no
Sat Mar 10 14:31:29 UTC 2012


* Adam Williamson

> At the meeting, we made the call that IPv6-only networks are becoming
> a configuration sufficiently important that a serious breach of the 
> criteria in the context of an IPv6-only network is significant enough
> to be considered a release blocker, and we accepted the bug as a
> blocker.

Thank you! This is very welcome news. It is about time Fedora joins ranks
with the likes of Apple Mac OS X and Microsoft Windows in supporting
IPv6-only networks out of the box, especially given Fedora's «First»
core value.

Getting the IPv6 migration moving is getting increasingly urgent. With
one part of the world (East Asia-Pacific) already out of available IPv4
addresses and another (EMEA) set to deplete in a few months, the
dual-stack transition plan originally envisioned by the IETF is simply
not going to work; there are simply not enough IPv4 addresses to last us
through the entire transition period. IPv6-only networks are therefore
inevitable, and it is important that from the end users' point of view,
they work just as smoothly and in a "plug&play" fashion as any other
dual-stacked or IPv4-only network.

> Obviously this is a pretty significant call that would set a
> precedent for future releases and proposed blockers, so we wanted to
> flag it up for wider discussion in case anyone thinks it was the
> wrong way to go.

For a long time, there have been bugs open and patches made available,
yet the issue has remained unresolved for several releases straight. For
that reason, I believe a more forceful incentive is essential if we are
to get the patches applied and the bugs closed before yet another release
goes out the door without proper IPv6 support. I therefore strongly
support the use of the release blocker mechanism.

> 18:41:26 <buggbot> Bug 591630: high, urgent, ---, twoerner,
> ASSIGNED, DHCPv6 responses are not allowed by default ip6tables
> ruleset

Regarding this bug in particular, I'll just note that there is
already a precedent. In a default Fedora installation, traffic to the
DHCPv4 client (which is the same binary as the DHCPv6 client) is allowed
from the entire internet. From a security standpoint, blocking only one
of the two does not make much sense. At least not to me, and there has
been no attempt at an explanation for any other viewpoint that I'm aware of.

There are also a few other problems that prevent IPv6-only from working
out of the box. I have also nominated those as release blockers:

https://bugzilla.redhat.com/show_bug.cgi?id=538499#c65
https://bugzilla.redhat.com/show_bug.cgi?id=798697#c3

Also, I understand that the "ip6tables" service might be replaced
with "firewalld" in F17 (cf. https://fedorahosted.org/fesco/ticket/805).
If so, that would probably make #591630 irrelevant; however, firewalld
has IPv6 problems all on its own (even more so than just breaking
DHCPv6, *all* IPv6 connectivity is broken by default), see:

https://bugzilla.redhat.com/show_bug.cgi?id=801182

I did not nominate this one as a blocker yet though, as I don't know if
firewalld will indeed be made the default solution for F17. However, if
it is, #801182 needs to be a release blocker as well.

Best regards,
-- 
Tore Anderson

